From: Christopher Faulet
Date: Tue, 11 Apr 2023 06:04:04 +0000 (+0200)
Subject: BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions
X-Git-Tag: v2.8-dev8~192
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5220a8c5c453b780caea6aaefa30734019785d69;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions

Timeouts for dynamic resolutions are not handled at the stream level but by the resolvers themselves. It means there are no connect, client and server timeouts defined on the internal proxy used by a resolver.

While it is not an issue for DNS resolution over UDP, it can be a problem for resolution over TCP. New sessions are automatically created when required, and killed on excess. But only established connections are considered. Connecting ones are never killed. Because there is no connect timeout, we rely on the kernel to report a connection error. And this may be quite long.

Because resolutions are periodically triggered, this may lead to an excess of unusable sessions in connecting state. This also prevents HAProxy from quickly exiting on soft-stop. It is annoying, especially because there is no reason to not set a connect timeout.

So to mitigate the issue, we now use the "resolve" timeout as connect timeout for the internal proxy attached to a resolver.

This patch should be backported as far as 2.4.

---
diff --git a/src/resolvers.c b/src/resolvers.c index 632d906113..692099554d 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -3245,7 +3245,7 @@ void resolvers_setup_proxy(struct proxy *px) px->conn_retries = 1; px->timeout.server = TICK_ETERNITY; px->timeout.client = TICK_ETERNITY; - px->timeout.connect = TICK_ETERNITY; + px->timeout.connect = 1000; // by default same than timeout.resolve px->accept = NULL; px->options2 |= PR_O2_INDEPSTR | PR_O2_SMARTCON; } 
@@ -3714,8 +3714,11 @@ int cfg_parse_resolvers(const char *file, int linenum, char **args, int kwm) } if (args[1][2] == 't') curr_resolvers->timeout.retry = tout; - else + else { curr_resolvers->timeout.resolve = tout; + curr_resolvers->px->timeout.connect = tout; + } + } else { ha_alert("parsing [%s:%d] : '%s' expects 'retry' or 'resolve' and
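Review bot: In the resolvers_setup_proxy() hunk, px->timeout.connect = 1000 hard-codes a value that its own comment says should follow the timeout.resolve default, so the two can drift apart if that default is changed later. Consider initialising it from the same constant or field that sets the resolve default instead of a literal, and state the unit in the comment. The comment wording should also read "same as timeout.resolve".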
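Review bot: In the cfg_parse_resolvers() hunk, the new line curr_resolvers->px->timeout.connect = tout dereferences curr_resolvers->px with no visible check that the internal proxy already exists when the 'resolve' branch is parsed. Please confirm px is always set at this point, or guard the assignment. The connect timeout is also only updated on this parsing path, so a resolvers section that never sets the 'resolve' timeout depends entirely on the literal 1000 from resolvers_setup_proxy() staying equal to the resolve default. The empty line added after the new closing brace can be dropped.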